Requirements for a Security Consultant

There are certain requirements that you must meet in order to be an effective penetration tester in a freelance consultant role. The requirements deal with your level of security skills, your systems and network knowledge, the depth and breadth of tools at your disposal, and the OS and hardware on which you use them. Also critical is your attention to record keeping and maintaining the ethics of security. Potential employers of security consultants performing penetration services should consider the following list before hiring a consultant.

Skill Set

      A security consultant must be at least at the system administrator level in order to effectively render security advisory services. This is not to say that script kiddies do not recognize security flaws or cannot hack; they often do more damage than hackers at any other level. Script kiddies generally do not have a complete understanding of the tools and exploits they use, and therefore they either miss critical holes or potentially damage systems.

      As a paid consultant, you are expected to definitively assert what you are doing and all the potential effects your actions may have. Specifically, you should be able to defend your choice of tool, why you use it, and what you use it for during testing. You are also expected to answer any and all questions related to a tool's configuration. Some of these security tools can cause considerable damage or downtime to networks if not used properly. At the conclusion of the test, you will be asked to articulate the method used to penetrate the systems and to deliver recommendations on how to fix the security holes identified during testing.

Knowledge

      Successful security consultants should be familiar with several pieces of technology, such as firewalls, intrusion detection systems, sniffers, audit tools, authentication mechanisms - the list goes on. While it is certainly advisable to be an expert in as many technologies as possible, the tester must at least be familiar with how the technology works (and the products that implement the technology) in order to find ways around the security that these systems provide. The tester should be knowledgeable in all the major operating systems (Windows, UNIX, Mac OS, and possibly Novell) and an expert in one. In-depth knowledge of TCP/IP and networking protocols is required. Knowledge of application programming or past programming experience can also be helpful, since many new exploits are constantly released as "working" code with occasional flaws. Such experience comes in handy when writing various attacks, such as buffer overflows.

      The tester must be able to use various hacking tools, scripts, and exploits in order to test for known bugs and vulnerabilities. Further, the tester should have access to vulnerability services that can keep him or her apprised of the latest hacking tools, scripts, and exploits as well as new security bugs discovered in all the major hardware, software, and operating systems. This does not have to be a paid service, but it must be reliable and up-to-date, and it must provide information on how to exploit known bugs as well as offer a comprehensive collection of exploits and tools.

      Keeping current on the latest security developments and trends is essential for any successful security consultant. The security consultant should subscribe to and participate in a collection of security e-mail lists. In addition to reading technical material, security consultants should periodically review what is being posted to "underground" Web sites. The best way to defend against or exploit threats is to understand them. Later on, we will present several Web sites, e-mail lists, and other sources of information as a good starting point for learning about and keeping abreast of developments in the security industry.

Tool Kit

      Consultants develop a collection of useful software, a tool kit, with tools and scripts for performing all types of security work, such as vulnerability testing, penetration testing, dial-in penetration, Internet penetration, denial of service, password cracking, buffer overflows, and risk assessments. This tool set should cover both the Windows (9x/NT/2000) and the UNIX (including the variants: Linux, HP/UX, AIX, IRIX, DG/UX, the BSDs, and so on) operating systems. Later on we will include tools that we have found useful, but by no means do they form the definitive tool kit. As you develop your own technique, you may find additional or alternative tools that work better for your style.

Hardware

      Penetration testing often uses a lot of CPU time and bandwidth. The more powerful the machine, the better the efficiency. We have found a dual-boot Linux/NT machine (with the latest CPU, the most RAM, and as fast as possible) to be an adequate configuration. A laptop is often better than a desktop because it allows for mobility. Running VMware allows you to run both operating systems simultaneously. This adds convenience, in that tools are generally available for at least one of these environments, but it costs more in terms of processor speed and memory.

      Additionally, running a keystroke capture utility is an effective way to log the test. These utilities record and time stamp all activities at the keystroke level, to some extent offloading the record-keeping burden from you to the laptop.

Record Keeping

      Keeping accurate, detailed records is a critical activity for a penetration tester. We recommend that your records provide enough detail to recreate the penetration test steps. In the unfortunate event that a company should claim that a consultant is responsible for damages incurred as a result of penetration testing, reviewing the records will be the first step in resolving the issue.

      The record should detail everything that was performed during testing, including every tool used and every command issued and the systems or IP addresses against which they were used. A useful practice is to document your procedures as you perform them and to use the last part of the day to type up your notes and record your results.

      Occasionally a system administrator might accuse a tester of being responsible for attacks that took place before or after the work was performed. In order to defend against these accusations, detailed documentation is required. Logs from a keystroke capture utility as well as your own notes provide the basis of the defense.

      Not only is it important to keep track of the actions performed during the penetration testing, it is also important to keep track of all the information gathered on your client. This may include information on weaknesses in the client's network, password files, the business process, and any intellectual property such as documentation on patent-pending processes. It is important to keep this information so you can present it to the client to verify you were able to access it and to stress the importance of the weaknesses that allowed you to obtain it. However, all information obtained from the client should be treated as highly confidential. If this information were to get out, to a hacker or a competing firm, it could put the client at a significant competitive disadvantage, leading to a loss of capital. In addition, news of a successful penetration test may also lead to a drop in consumer confidence.

Ethics

      Penetration testing engagements are bound by the scope and length set forth in the rules of engagement. These rules are specified by the client and enable the organization to feel comfortable enough to allow the testing to proceed. These rules address issues of denial of service, contact information, scope of project, and timetables. This information provides the boundaries of the engagement and cannot be misinterpreted.
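The record-keeping and rules-of-engagement requirements above come down to one discipline: every action is written down with its time, tool, exact command and targets, and nothing is run against a host or at a time the client did not agree to. The following Python script is an added example (not from this text or any product it mentions) of an engagement log that enforces both. The client name, the in-scope ranges (RFC 5737 documentation addresses) and the testing window are constructed placeholders; a refused action is logged too, so the record later shows both what was run and what was deliberately not run, which is exactly what you need when a system administrator asks what you did to a particular host on a particular day.

```python
"""Engagement log with rules-of-engagement checks (added example).

Each entry records timestamp, tool, exact command and targets. Before an entry
is accepted as 'run', the targets are checked against the agreed scope and the
agreed testing window; violations are still logged, with status 'refused'.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed rules of engagement (assumptions for this example): placeholder
# client name, RFC 5737 documentation ranges, arbitrary testing window.
RULES = {
    "client": "example-client (placeholder)",
    "in_scope": ["192.0.2.0/24", "198.51.100.10/32"],
    "window_start": "2024-01-15T08:00:00+00:00",
    "window_end": "2024-01-19T18:00:00+00:00",
}


def _as_dt(when):
    """Accept an aware datetime or an ISO 8601 string with offset."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


class EngagementLog:
    def __init__(self, rules):
        self.client = rules["client"]
        self.nets = [ipaddress.ip_network(n) for n in rules["in_scope"]]
        self.start = _as_dt(rules["window_start"])
        self.end = _as_dt(rules["window_end"])
        self.entries = []

    def check(self, targets, when):
        """Return the reasons an action would violate the rules ([] if none)."""
        reasons = []
        for t in targets:
            try:
                addr = ipaddress.ip_address(t)
            except ValueError:
                # Hostnames are not accepted: resolve first and log the address.
                reasons.append(f"{t}: not an IP address")
                continue
            if not any(addr in net for net in self.nets):
                reasons.append(f"{t}: outside agreed scope")
        if not (self.start <= when <= self.end):
            reasons.append(f"{when.isoformat()}: outside testing window")
        return reasons

    def record(self, tool, command, targets, when=None, note=""):
        """Append an entry; status is 'run' if allowed, 'refused' otherwise."""
        when = _as_dt(when) if when else datetime.now(timezone.utc)
        reasons = self.check(targets, when)
        entry = {
            "time": when.isoformat(),
            "client": self.client,
            "tool": tool,
            "command": command,
            "targets": list(targets),
            "status": "refused" if reasons else "run",
            "reasons": reasons,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def against(self, target):
        """Everything in the record involving one host."""
        return [e for e in self.entries if target in e["targets"]]

    def between(self, start, end):
        """Everything in the record inside a time range (the accusation case)."""
        start, end = _as_dt(start), _as_dt(end)
        return [e for e in self.entries
                if start <= datetime.fromisoformat(e["time"]) <= end]

    def to_jsonl(self):
        """One JSON object per line, the form to keep on disk with your notes."""
        return "".join(json.dumps(e, sort_keys=True) + "\n" for e in self.entries)


def demo():
    """Three constructed actions: one allowed, two refused."""
    log = EngagementLog(RULES)
    log.record("nmap", "nmap -sS -p 1-1024 192.0.2.15", ["192.0.2.15"],
               when="2024-01-16T10:30:00+00:00", note="initial port sweep")
    # Address not in the agreed scope: refused and logged as such.
    log.record("nmap", "nmap -sS 203.0.113.7", ["203.0.113.7"],
               when="2024-01-16T10:31:00+00:00")
    # In scope, but after the agreed window closed: refused and logged.
    log.record("nmap", "nmap -sV 198.51.100.10", ["198.51.100.10"],
               when="2024-01-21T09:00:00+00:00")
    return log


if __name__ == "__main__":
    print(demo().to_jsonl(), end="")
```

Writing the log as one JSON object per line keeps it append-only and easy to grep by host or day; keeping the keystroke-capture log alongside it gives two independent records of the same session.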

      At issue here is trust. One of the key things security consultants have to offer their clients is assurance and confidence that while the consultant is examining the client's security, they will not be planting back doors or compromising the client's network. Unfortunately, there is no script or tool that guarantees the consultant's integrity. Each consultant must carefully protect his or her integrity on every engagement and assignment. If your integrity is questioned, even once, you will not recover from the accusation. There is little room for error, accidents, or problems. Penetration testing requires the client to give a great deal of trust to a consultant. That trust must be protected.